Jun 20 2009 3:20AM GMT
Posted by: Charles Denyer
Tags: Statement on Auditing Standards No. 70, sas70, type II, general controls report, control environment, charles denyer, sarbanes oxley act of 2002, SAS 70 Type I
Statement on Auditing Standards No. 70, known simply as SAS 70 to many, has had a profound impact on regulatory compliance since the passage of the Sarbanes Oxley Act in 2002. As a SAS 70 auditor for many years, I’ve been asked a broad and wide range of questions regarding the who, what, where, when and why of SAS 70 Type I and SAS 70 Type II audits. If you need to learn everything you possibly can about SAS 70, visit the official SAS 70 Resource Guide, where a voluminous amount of information is available.
Now, with that said, let me touch on a subject that has been brought up so many times it feels like a broken record: SAS 70 PRICING. So, what do they cost? What SHOULD they cost? These are some of the questions I’ve fielded over the years. With that said, I can tell you what my honest best assessment is for pricing on these engagements, so here you go.
A general controls SAS 70 Type I that covers no real business processes, where all fieldwork can be done at one location, should run between $15,000 and $25,000.
A general controls SAS 70 Type II that covers no real business processes, where all fieldwork can be done at one location, should run between $25,000 and $35,000. Subsequent years “could” see a marginal decrease in fees if the control environment stays somewhat static.
If you start adding in requirements to test a wide array of specific “business process” controls, the price will go up. Keep in mind, some firms may (and do) charge a slightly lower fee than I’ve just quoted. But remember, you get what you pay for, especially with auditors. Find that healthy medium from a quality, boutique CPA firm that specializes in SAS 70 audits and you should be fine.
Jun 19 2009 10:00PM GMT
Posted by: Charles Denyer
Tags: charles denyer, PCI DSS, service providers, merchants, pci qsa, PCI DSS Level 1 compliance for merchants and service providers, 12 requirements
PCI DSS Level 1 Compliance for Merchants and Service Providers can be a daunting task, but there are a number of proactive steps you can take to mitigate, and hopefully eliminate, cost and time overruns.
There’s quite a bit you can do to help prepare your organization for PCI DSS Level 1 compliance, so let’s start with some of the basics and move forward in subsequent blogs.
First and foremost, READ the PCI DSS standard, from front to back. Sure, it will take some time, but you will be able to grasp and understand the dynamics of PCI compliance much better. There are 12 main requirements, and each one is quite specific in its demands, so break them up and spend time truly digesting what each Requirement means.
Second, conduct a PCI DSS Readiness Assessment (either internally or preferably with a PCI QSA). Why? You need to be able to generate a gap analysis to see where your weaknesses are and what steps you will need to take to correct them. So, that’s just a start. I’ll be writing more in later blogs, so stay tuned.
To learn more about PCI compliance, visit pciassessment.org
Jun 16 2009 11:40AM GMT
Posted by: Charles Denyer
Tags: charles denyer, PCI DSS, payment card industry data security standards (PCI DSS), service providers payment card compliance, visa, amex, mastercard, Discover Card, jcb, pci qsa, qualified security assessor, pci dss compliance, transaction processors, payment gateways, web hosting providers, data centers, managed service providers, ISO
PCI DSS compliance is becoming a requirement for many service providers involved in the processing, storage, transmission, and switching of transaction data and cardholder data.
In short, for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance, a service provider is any company that provides services to merchants or to other “service providers”, or any other entity that controls OR could impact the security of cardholder data.
So, here are some common examples of service providers:
• Transaction Processors
• Payment Gateways
• Customer Service Entities, such as Call Centers
• Managed Service Providers
• Web Hosting Providers
• Data Centers
• Independent Sales Organizations (ISOs)
You may also want to know that the major payment brands (VISA, MasterCard, AMEX, Discover Card, and JCB) use different “terms” for service providers:
• AMEX: they are called a “Third Party Processor”
• Discover: they are called a “Third Party Processor” and a “Payment Service Provider”
• MasterCard: they are called “Third Party Processors” and a “Data Storage Entity”
• VISA: they can be called a “VisaNet Processor”, which covers everybody that connects to VISA.
Generally speaking (with a noted exception), all Service Providers will need an annual on-site review done by a Qualified Security Assessor.
Jun 16 2009 2:35AM GMT
Posted by: Charles Denyer
Tags: charles denyer, sas 70 type ii audit, PCI DSS, payment card industry data security standards, PCI DSS Level 1 compliance, report on compliance, ROC, audits, assessments, cpa firm
SAS 70 audits, especially Type II reports, and PCI DSS Level 1 Report on Compliance (ROC) assessments are dominating today’s regulatory compliance arena. Painfully, as a SAS 70 auditor and a PCI DSS assessor, I keep hearing people talk about these two compliance initiatives as if they are one and the same. Stop. They are different.
Don’t get me wrong, efficiencies of scale can be had and I will talk about that in a later post, but generally speaking, this is like comparing apples to oranges. Here’s why.
The SAS 70 auditing standard is a loose and flexible standard, allowing auditors to employ (and they do) various methodologies, benchmarks, standards, and frameworks for SAS 70 audits.
The Payment Card Industry Data Security Standards (PCI DSS) requirements are much more rigid, less open to interpretation, if you will.
Ever read one SAS 70 report from a CPA firm then picked up another report on a similar company that was issued by another CPA firm? If so, you probably noticed they looked and “read” quite differently. Well, no surprise there.
Now, try that with a PCI DSS Level 1 Report on Compliance. Sure, they won’t be identical, but they’ll be much more similar than the two SAS 70 audits.
Want to learn more about SAS 70 audits and PCI DSS assessments? If so, visit the official SAS 70 Resource Guide and the Official PCI DSS Assessment Resource Guide.
Jun 3 2009 6:34PM GMT
Posted by: Charles Denyer
Tags: The Investment Advisers Act of 1940, surprise examination, internal control report, charles denyer, SAS 70, sample sas 70 type II report, qualified custodian, client funds, securities, File No. S7-09-09
The SAS 70 auditing standard is sure to become a necessary element of the proposed changes to the Investment Advisers Act of 1940. The SEC released a draft of proposed changes regarding “Custody of Funds or Securities of Clients by Investment Advisers” (File No. S7-09-09). In short, this comprehensive document proposes the use of “surprise examinations” and an “internal control report” for entities that have custody of client funds or securities, or that instead serve as a qualified custodian for client funds or securities.
Currently the “surprise examination” is discussed as a “written report from an independent public accountant”, while the “internal control report” is described as that of a SAS 70. At this point, it is not completely clear what distinctions, if any, will be made between the auditing frameworks for the “surprise examination” and the “internal control report”. More than likely, the SAS 70 auditing standard will be utilized for both.
You can obtain a sample SAS 70 Type II Report and list of sample custodial control objectives by visiting the SAS 70 Resource Guide.
May 31 2009 3:33PM GMT
Posted by: Charles Denyer
Tags: Maintain an Information Security Policy, PCI DSS, charles denyer, SAS 70 Type I, sas 70 type ii, change management, policies and procedures, requirement 12
Policies and Procedures: it’s such a common theme and phrase in today’s regulatory compliance and governance arena, so much so that I think it should have its own Wikipedia page. Developing these documents can be an arduous undertaking. Furthermore, policies and procedures are growing ever larger in scope for compliance initiatives.
Take a look at Requirement 12 for PCI DSS compliance: Maintain an Information Security Policy. It’s quite detailed, to say the least. Furthermore, there are numerous other P&P requirements sprinkled throughout the other 11 PCI DSS requirements.
As for SAS 70, the audit’s success also depends on policies and procedures for a large range of items. A few examples of common P&P documents that may fall under the scope of a SAS 70 Type I or SAS 70 Type II audit are as follows:
• Change Management P&P
• An organization-wide security policy handbook with documented P&P
• Backup P&P
• SDLC documentation
To be blunt, most organizations despise authoring these documents for a number of reasons: time, cost, or the simple inability to write effective P&P documents.
Even with that said, organizations need to be aware of the growing P&P requirements for SAS 70, PCI DSS, and a whole host of other regulatory compliance mandates.
May 30 2009 8:26PM GMT
Posted by: Charles Denyer
Tags: Custody of Funds or Securities of Clients by Investment Advisers, File No. S7-09-09, charles denyer, SAS 70, control objectives, investment advisors, custodial operations, client funds or securities along with performing custodial duties and operations, cash and security positions, net settlement procedures, securities income, market values of securities, sample sas 70 type II report, sas70.us.com, investment advisers
The SEC released a draft of proposed changes regarding “Custody of Funds or Securities of Clients by Investment Advisers” (File No. S7-09-09), calling for more oversight and controls over investment advisers or related persons who have custody of client funds or securities and perform custodial duties and operations.
In short, the proposed changes will possibly require a “surprise examination” and an “internal control report” for these very entities that have custody of client funds or securities and perform custodial duties and operations.
The proposed control objectives are as follows:
• Physical securities are safeguarded from loss or misappropriation;
• Cash and security positions are reconciled accurately and on a timely basis between the custodian and depositories, and between the custodian and accounting systems;
• Client-initiated trades are properly authorized and recorded completely and accurately in the client account;
• Securities income and corporate action transactions are processed to client accounts in an accurate and timely manner;
• Net settlement procedures for delivery and receive transactions are performed accurately;
• Documentation for the opening of accounts is received and authenticated, and established completely and accurately on the applicable system; and
• Market values of securities obtained from various outside pricing sources have been recorded accurately in client accounts.
If you want to learn more about these proposed changes and would like to receive a sample SAS 70 Type II report, then visit the official SAS 70 Resource Guide at sas70.us.com.
May 26 2009 6:22PM GMT
Posted by: Charles Denyer
Tags: payment card industry data security standards, PCI DSS, pci qsa, charles denyer, PCI DSS Level 1 compliance, requirement 12, policies and procedures, pciassessment.org
Payment Card Industry Data Security Standards (PCI DSS) Level 1 compliance can be a very arduous, time-consuming and costly undertaking for any organization. However, there are a number of proactive steps that help ensure an efficient and transparent assessment process.
I stress the word “transparency” because the more information you provide a PCI QSA, the better understanding he/she will have when engaging to conduct the PCI DSS Level 1 assessment on your organization.
Here are some helpful tips:
1. Develop in-depth network topology documents that clearly illustrate the cardholder environment. Do not omit any “system components” from these drawings, as PCI QSAs need a true understanding of the network topology.
2. Take a hard look at Requirement 12 of the PCI DSS standard: policies and procedures play a big and important role in ensuring compliance with PCI DSS. If you do not have these P&P in place, you need to start writing them internally, or expect to pay a king’s ransom for external auditors or consultants to write these documents for you.
3. Make a list of all external, third-party vendors and outsourcing entities that your organization uses. This is important because data centers and other types of managed services entities often fall into the scope of a PCI DSS assessment.
If you want to learn more about PCI DSS compliance, visit pciassessment.org
May 17 2009 9:36PM GMT
Posted by: Charles Denyer
Tags: Requirement 1: Install and maintain a firewall configuration to protect cardholder data, charles denyer, SANS, NIST, CIS, network diagrams, rule sets, routers, firewalls, payment card industry data security standards (PCI DSS), untrusted networks, e-commerce, internet access, wireless networks
PCI DSS Compliance is growing at an astonishing rate for merchants and service providers throughout the country and the globe.
Let’s take some time to distill each of the twelve (12) core Payment Card Industry Data Security Standards (PCI DSS) Requirements. This will be the first in a 12-part series giving you a better understanding of each requirement and its sub-requirements.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
As stated by the Payment Card Industry Data Security Standards Requirements: “All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees’ Internet access through desktop browsers, employees’ e-mail access, dedicated connection such as business to business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.”
Okay, fair enough and with that said, as a Payment Card Industry Qualified Security Assessor (PCI QSA), here’s what you need to be aware of for Requirement 1:
1. Have in place an excellent network topology diagram.
2. Make sure you develop the documented policies and procedures that are called for in Requirement 1.
3. When deploying and hardening network devices (routers, firewalls, etc.), keep in mind that you need to document this process and utilize industry-accepted configuration guidelines, such as those from SANS, NIST and CIS.
This is just a start and by no means all the items for Requirement 1, but being aware of these issues will greatly help you meet the guidelines for PCI DSS Requirement 1.
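One way to turn the intent of Requirement 1 into a repeatable check before the QSA arrives: review the firewall rule set for traffic from untrusted networks that can reach cardholder systems without a documented business need, and for the absence of a final default deny. This is an added example and not code from the original post or from the PCI SSC; the rule format, the CDE subnet, the trusted ranges and the sample rules are all constructed assumptions.

```python
"""Review of a firewall rule set against the intent of PCI DSS Requirement 1:
untrusted networks must not reach cardholder data environment (CDE) systems
except through explicit, documented rules. Added example; all values assumed."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed CDE subnet and the internal ranges treated as trusted.
CDE = ip_network("10.20.0.0/24")
TRUSTED = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

@dataclass
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    port: str                # destination port or "any"
    justification: str = ""  # documented business need for the rule

def _net(cidr):
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr)

def is_untrusted(src):
    """A source is untrusted unless it lies wholly inside a trusted range."""
    return not any(_net(src).subnet_of(t) for t in TRUSTED)

def review(rules):
    """Return (rule, reason) pairs for rules that need a QSA's attention."""
    findings = []
    for r in rules:
        if r.action != "allow" or not _net(r.dst).overlaps(CDE):
            continue  # denies and traffic not bound for the CDE are fine here
        if is_untrusted(r.src) and r.port == "any":
            findings.append((r, "untrusted source may reach the CDE on any port"))
        elif is_untrusted(r.src) and not r.justification:
            findings.append((r, "inbound CDE rule has no documented justification"))
    tail = rules[-1] if rules else None
    if not (tail and tail.action == "deny" and tail.src == tail.dst == "any"):
        findings.append((tail, "rule set does not end with an explicit default deny"))
    return findings

# Constructed sample rule set, not taken from any real environment.
SAMPLE_RULES = [
    Rule("allow", "0.0.0.0/0", "10.20.0.10/32", "443", "public e-commerce web tier"),
    Rule("allow", "any", "10.20.0.0/24", "any"),
    Rule("allow", "10.0.0.0/8", "10.20.0.0/24", "22", "admin jump host"),
    Rule("allow", "203.0.113.0/24", "10.20.0.20/32", "3306"),
    Rule("deny", "any", "any", "any"),
]
```

Running `review(SAMPLE_RULES)` flags the open any-port rule and the undocumented database rule, while the documented web-tier rule and the trusted admin rule pass; each finding maps to something the QSA will ask you to justify or to document in the network topology and rule-set paperwork.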